Dear Valued Supporter:
The Santa Cruz SPCA is committed to partnering with you in a wholly transparent and honest manner. Out of an abundance of caution, we are writing to advise you of a data security incident involving one of our trusted vendors, Blackbaud Inc.
Blackbaud is a well-respected provider of cloud and data services used by more than 25,000 prominent nonprofit organizations in more than 60 countries, including animal welfare organizations, universities, healthcare organizations, arts and cultural organizations, foundations, and many other nonprofits. Santa Cruz SPCA uses Blackbaud’s fundraising technology platform to manage our extensive donor and constituent database.
The Santa Cruz SPCA has been informed by Blackbaud of a data security incident that impacted our donor database and may have involved personal information about supporters. A longer explanation follows, but first and foremost you should know that donor credit card information and banking information were NOT accessed and remain encrypted.
HISTORY OF THE BLACKBAUD RANSOMWARE ATTACK
Blackbaud discovered a ransomware attack in May of 2020 that included the donor and constituent databases of many different organizations. The company took time to determine which organizations were impacted before communicating directly with affected parties in July. Blackbaud has stated that its Cyber Security team — together with independent forensics experts and law enforcement — successfully prevented the cybercriminal from blocking Blackbaud’s system access, and Blackbaud ultimately expelled the cybercriminal from its system. Prior to locking the cybercriminal out, however, the cybercriminal removed a copy of a backup file.
To protect personal customer data, Blackbaud paid the cybercriminal’s demand with confirmation that the removed copy had been destroyed.
(Read Blackbaud’s statement about the incident.)
WHAT INFORMATION WAS INVOLVED
Blackbaud has assured us that credit card information and banking information were not accessed by the cybercriminal and remain encrypted. However, Blackbaud has determined that the information removed and presumably destroyed may have included: names; contact information, including telephone numbers, email addresses, dates of birth, and mailing addresses; and a history of donor relationships with our organization, such as donation dates, amounts, and other information in donor profiles.
Based on the nature of the incident, Blackbaud’s research, and third party (including law enforcement) investigation, Blackbaud does not believe any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
WHAT BLACKBAUD IS DOING
Blackbaud states that it already has implemented several changes that will protect data from any subsequent incidents. First, its teams identified the vulnerability associated with this incident, including the tactics used by the cybercriminal, and took action to fix it. Blackbaud has tested its fix with multiple third parties, including the appropriate platform vendors, and assured us that it withstands all known attack tactics. They also are accelerating their efforts to further protect data through enhancements to access management, network segmentation, deployment of additional endpoint, and network-based platforms.
WHAT WE ARE DOING IN RESPONSE
The Santa Cruz SPCA places the highest importance on acting as responsible stewards of our donor’s information and we will continue to do so. We are notifying our donors and constituents about this incident, via email and a website statement, consistent with our goal of being transparent.
Although this particular incident was completely outside of our control, we continue to review our own internal IT security and data governance standards. We are also staying abreast of the most recent developments to monitor this situation and to ensure full transparency and accountability moving forward.
WHAT YOU CAN DO
We want to emphasize again that Blackbaud has assured us that no credit card, bank account, or other information of that nature was compromised. However, as a best practice, we recommend that supporters remain vigilant by reviewing their account statements and credit reports closely and reporting any suspicious activities.
- If you receive unsolicited requests for donations from us or other nonprofits, then call the number on the organization’s website to confirm the legitimacy of the solicitation.
You can obtain a free copy of your credit report from each of the three major credit reporting agencies once every 12 months by visiting http://www.annualcreditreport.com, calling toll-free 877-322-8228, or completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348.
- If you detect any suspicious activity, then promptly notify the financial institution or company where the account is maintained. You also should report any fraudulent activity or suspected incidence of identity theft to law enforcement authorities, your state attorney general, and/or the Federal Trade Commission.
To file a complaint with the FTC, go to www.ftc.gov/idtheft or call 1-877-ID-THEFT (877-438-4338). The Federal Trade Commission offers tips on how to avoid identity theft. For more information, please visit http://www.ftc.gov/idtheft or call 1-877-ID-THEFT (877-438-4338).
SANTA CRUZ SPCA’S COMMITMENT
While data breaches and ransomware attacks are becoming more common, this is not something the Santa Cruz SPCA ever wants to happen to our valued supporters. The privacy of our constituents and the stewardship of donor information is of the utmost importance to us.
Blackbaud has apologized to Santa Cruz SPCA for this security incident, and we now want to sincerely apologize to you for any inconvenience this incident may cause you. If you have any questions or concerns regarding this matter, please do not hesitate to contact me at firstname.lastname@example.org or by calling 831/465-5000.
As always, we are deeply grateful for your very generous support of the Santa Cruz SPCA. We know that every gift made to Santa Cruz SPCA is a choice. Thank you for helping to provide a safe harbor for the homeless animals in our community. We simply could not do this work for the animals without you.